1. SELinux problems

Please forgive me if this is the wrong forum for a bug report...

Has anyone tried running exu on a system running SELinux?  I use Fedora 9 / KDE
and I keep seeing the attached message (this example is when running
demo/sanity.ex).

Thanks,

Nathan

-------------------------------------------------------
--exu error message
                   Euphoria SANITY TEST ...
sanity.ex:963 in procedure machine_level()
A machine-level exception occurred during execution of this statement

... called from sanity.ex:1247 in procedure sanity()

... called from sanity.ex:1302

--> See ex.err

-----------------------------------------------------------
SELinux report:
Summary:

SELinux is preventing exu from changing the access protection of memory on the
heap.

Detailed Description:

The exu application attempted to change the access protection of memory on the
heap (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If exu does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you want exu to continue, you must turn on the allow_execheap boolean. Note:
This boolean will affect all applications on the system.

Fix Command:

setsebool -P allow_execheap=1

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        exu
Source Path                   /home/Nathan/Download/euphoria/bin/exu
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-62.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execheap
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.4-30.fc9.i686
                              #1 SMP Wed May 21 18:12:35 EDT 2008 i686 i686
Alert Count                   211
First Seen                    Wed 21 May 2008 01:55:22 AM EDT
Last Seen                     Wed 21 May 2008 02:02:14 AM EDT
Local ID                      3d4cac42-3335-45e6-b187-58cc1a855c6b
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1211349734.334:340): avc:  denied 
{ execheap } for  pid=2196 comm="exu"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1211349734.334:340):
arch=40000003 syscall=125 success=no exit=-13 a0=851e000 a1=1000 a2=7 a3=851eec0
items=0 ppid=2162 pid=2196 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=pts2 ses=1 comm="exu"
exe="/home/Nathan/Download/euphoria/bin/exu"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


2. Re: SELinux problems

Has this issue been looked into? If so, was it determined that it can't/won't be fixed? Or am I experiencing a new problem much like an old one? On Fedora 22 with SELinux turned on, *eui* is causing this error today. I didn't notice this earlier in the week because my other VM with Fedora installed had SELinux turned off. For the moment, I've disabled SELinux on my VM so that I can continue my project for the next day or so as I explore if Euphoria is a good fit for this new project.

This type of error would be alarming for sysadmins considering Euphoria in the workplace.


3. Re: SELinux problems

xecronix said...

Has this issue been looked into? If so, was it determined that it can't/won't be fixed? Or am I experiencing a new problem much like an old one? On Fedora 22 with SELinux turned on, *eui* is causing this error today. I didn't notice this earlier in the week because my other VM with Fedora installed had SELinux turned off. For the moment, I've disabled SELinux on my VM so that I can continue my project for the next day or so as I explore if Euphoria is a good fit for this new project.

This should have been fixed, years ago, with the adoption of DEP-aware code and the new allocate_code() routine.

What's the exact command line you are passing to eui to get this error?

xecronix said...

This type of error would be alarming for sysadmins considering Euphoria in the workplace.

Agreed.


4. Re: SELinux problems

I found this link via Google: http://danwalsh.livejournal.com/6117.html?thread=23525 Not sure if it helps, but a comment suggests that this may boil down to a Makefile problem if it is related to -fPIC.


5. Re: SELinux problems

This is how I installed Euphoria: How to Compile Open Euphoria On Linux

This is the development version of Euphoria I downloaded so that I can compile Euphoria (also causes SELinux to complain)

[ronald@localhost bin]$ ./eui 
Euphoria Interpreter v4.1.0 development 
   64-bit Linux, Using System Memory 
   Revision Date: 2012-05-30 12:24:02, Id: 5567:cbe08aedf560 
 

This is how I can reproduce the problem

[ronald@localhost ~]$ eui 
Euphoria Interpreter v4.1.0 development 
   64-bit Linux, Using System Memory 
   Revision Date: 2015-08-02 10:59:17, Id: 6336:e92935807c7b 
 

Here is some more info about my particular issue.

Additional Information: 
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 
                              023 
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 
                              023 
Target Objects                Unknown [ process ] 
Source                        eui 
Source Path                   eui 
Port                          <Unknown> 
Host                          localhost.localdomain 
Source RPM Packages            
Target RPM Packages            
Policy RPM                    selinux-policy-3.13.1-128.10.fc22.noarch 
Selinux Enabled               True 
Policy Type                   targeted 
Enforcing Mode                Enforcing 
Host Name                     localhost.localdomain 
Platform                      Linux localhost.localdomain 4.1.5-200.fc22.x86_64 
                              #1 SMP Mon Aug 10 23:38:23 UTC 2015 x86_64 x86_64 
Alert Count                   763 
First Seen                    2015-08-22 05:51:18 EDT 
Last Seen                     2015-08-22 15:53:42 EDT 
Local ID                      88420203-0087-407d-9688-5b0e8c70df66 
 
Raw Audit Messages 
type=AVC msg=audit(1440273222.737:707): avc:  denied  { execheap } for  pid=2597 comm="eui" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0 
 
 
Hash: eui,unconfined_t,unconfined_t,process,execheap 


6. Re: SELinux problems

This is a very clean Fedora 22 install BTW.

  • downloaded the latest Fedora last night
  • installed Fedora on new VM
  • ran dnf upgrade to get anything else that might be new
  • installed Virtual Box Guest additions
  • Installed Euphoria

Nothing else happened on this box prior to the error.

  • Virtual Box 5.0.3
  • Guest Fedora 22
  • Host Windows 10

7. Re: SELinux problems

xecronix said...

This is the development version of Euphoria I downloaded so that I can compile Euphoria (also causes SELinux to complain)

[ronald@localhost bin]$ ./eui 
Euphoria Interpreter v4.1.0 development 
   64-bit Linux, Using System Memory 
   Revision Date: 2012-05-30 12:24:02, Id: 5567:cbe08aedf560 
 

I had technical difficulties getting a 64bit version of Fedora set up in VirtualBox, but I tried the 32bit version of Fedora 22 with the latest 32bit eubin at http://openeuphoria.org/eubins/linux/4.1.0/32-bit/eubin-2011-06-29-3739d931e005.tar.gz and sestatus reports that SELinux is on. At least on the 32bit platform, this problem is not reproducible.

I'll give the 64bit version another try in a day or two.


8. Re: SELinux problems

xecronix said...

I found this link via Google: http://danwalsh.livejournal.com/6117.html?thread=23525 Not sure if it helps, but a comment suggests that this may boil down to a Makefile problem if it is related to -fPIC.

Just tried this on Fedora 22 64-bit, but I still could not reproduce the issue.


9. Re: SELinux problems

I'll go through the exercise again tonight but this time in a different order:

  • Create new Virtualbox machine
  • Download latest Fedora Distribution
  • Install Fedora 22 64 Bit
  • `sudo dnf upgrade` to get the latest updates.
  • Unzip/Install OpenEuphoria 64 Bit
  • Check for SELinux Problem

If no SELinux Problems:

  • Run through these docs "How to Compile Open Euphoria On Linux" using the above installed binary release to translate code. (This step may require software installs. At the very least hg will be needed. I'll report back if I need to install anything else to compile.)
  • Check for SELinux Problem

If no SELinux Problems:

  • Install the Virtualbox Guest Additions
  • Check for SELinux Problem

Thanks for taking the time to look into this.


10. Re: SELinux problems

xecronix said...

Thanks for taking the time to look into this.

Thank you for taking the time to discover and report this.

xecronix said...

I'll go through the exercise again tonight but this time in a different order:

If you do find a problem, would it be possible to put the complete image somewhere so I can run it myself? That might make it a lot easier for me to reproduce and resolve this problem.


11. Re: SELinux problems

I am able to reproduce.

  • create new Virtualbox VM
  • Unzip/Install OpenEuphoria 64 Bit
  • ./eui while in the OpenEuphoria bin dir
  • su root
  • cat /var/log/audit/audit.log | grep eui
  • Observe many denial messages

Upgrade, try again:

  • dnf upgrade
  • reboot
  • ./eui while in the OpenEuphoria bin dir
  • su root
  • cat /var/log/audit/audit.log | grep eui
  • Observe many denial messages

At this point I stopped testing so that I can figure out how and where to share the VM with you. The VM is compressing right now. I'll put it somewhere you can get it. Please contact me with a gmail account when you're ready.

Also, the above screenshots do not always happen when you try to run eui. But regardless of whether or not you see the popup, you can consistently find the issue in the logs.

  • su root
  • cat /var/log/audit/audit.log | grep eui
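
An added example, not part of the original posts or of Euphoria's code: rather than grepping audit.log for the program name, this pairs each execheap AVC denial with the SYSCALL record that shares its audit event id and decodes the mprotect arguments. The sample is the pair of records from the first post, re-joined onto single lines and abridged; the function name and the two-entry syscall table (i386 and x86_64 mprotect only) are assumptions of this example.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in the first post,
# re-joined onto single lines as auditd writes them (some id fields dropped).
SAMPLE = '''\
host=localhost.localdomain type=AVC msg=audit(1211349734.334:340): avc:  denied  { execheap } for  pid=2196 comm="exu" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1211349734.334:340): arch=40000003 syscall=125 success=no exit=-13 a0=851e000 a1=1000 a2=7 a3=851eec0 items=0 ppid=2162 pid=2196 auid=500 uid=500 comm="exu" exe="/home/Nathan/Download/euphoria/bin/exu" key=(null)
'''

# (audit arch, syscall number) pairs that mean mprotect: i386, x86_64.
MPROTECT = {("40000003", "125"), ("c000003e", "10")}
PROT = ((1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC"))
EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def execheap_denials(log_text):
    """Pair execheap AVC denials with their SYSCALL record by audit event id."""
    avc, syscalls = {}, {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rtype == "AVC":
            d = DENIED.search(line)
            if d and "execheap" in d.group(1).split():
                avc[event_id] = fields
        elif rtype == "SYSCALL":
            syscalls[event_id] = fields
    findings = []
    for event_id, a in avc.items():
        s = syscalls.get(event_id, {})  # empty when only the AVC line was kept
        finding = {"event": event_id, "comm": a.get("comm"), "exe": s.get("exe"), "call": None}
        if (s.get("arch"), s.get("syscall")) in MPROTECT:
            # audit writes a0..a3 as bare hex, without a 0x prefix
            addr, length, prot = (int(s[k], 16) for k in ("a0", "a1", "a2"))
            flags = "|".join(name for bit, name in PROT if prot & bit)
            finding["call"] = f"mprotect(0x{addr:x}, 0x{length:x}, {flags})"
            finding["writable_and_executable"] = bool(prot & 2 and prot & 4)
        findings.append(finding)
    return findings
```

For the first post's records this yields `mprotect(0x851e000, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)`: one page requested readable, writable and executable at once, with `exit=-13` (EACCES) being the refusal that SELinux logs as execheap.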

12. Re: SELinux problems

xecronix said...

I am able to reproduce.

  • cat /var/log/audit/audit.log | grep eui

Ah. I never got a pop up, but I see the messages in the audit log for 64bit.

I believe this line is the culprit: http://scm.openeuphoria.org/hg/euphoria/annotate/e92935807c7b/source/be_machine.c#l859

Can you comment this line out, rebuild, and retest the newly built binary?

xecronix said...

At this point I stopped testing so that I can figure out how and where to share the VM with you. The VM is compressing right now. I'll put it somewhere you can get it. Please contact me with a gmail account when you're ready.

Follow the instructions at http://openeuphoria.org/wiki/view/Contact%20Administrators.wc


13. Re: SELinux problems

jimcbrown said...

Ah. I never got a pop up, but I see the messages in the audit log for 64bit.

I believe this line is the culprit: http://scm.openeuphoria.org/hg/euphoria/annotate/e92935807c7b/source/be_machine.c#l859

Can you comment this line out, rebuild, and retest the newly built binary?

I commented out that line of code, re-enabled SELinux, rebooted, and retested using the VM that I originally was using when I reported the problem. This seemed to fix the problem. After someone checks in the change, if applicable, let me know. I'd be happy to continue installing Euphoria from source on the sandbox VM I created specifically for testing this problem.


14. Re: SELinux problems

xecronix said...

After someone checks in the change, if applicable, let me know. I'd be happy to continue installing Euphoria from source on the sandbox VM I created specifically for testing this problem.

This change has now been checked in: http://scm.openeuphoria.org/hg/euphoria/rev/4ba858266107


15. Re: SELinux problems

jimcbrown said...

This change has now been checked in: http://scm.openeuphoria.org/hg/euphoria/rev/4ba858266107

I feel like this issue is resolved at this point. Thanks for your efforts and quick response.
